Internet Security Systems

TCP FIN scan

advICE: Intrusions: 2000305
Summary

A hacker is scanning your system using a "stealth" method.

Details

A common hacker activity on the Internet is TCP scanning, which looks for what's available on a system that can be attacked. However, successful connections are often logged by normal system components. Therefore, the goal of the hacker is to find out if they can connect to the system without really connecting.

In this case, the attacker is using a method called a "FIN scan". It attempts to close a non-existent connection on the server. This is an error whether or not a service is listening on the port, but systems sometimes give back different error results depending upon whether the desired service is available or not.

As a result, the attacker doesn't trigger the normal logging of the system. However, this type of scan does result in weird network traffic, which is easily detectable by an Intrusion Detection System.
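One way such a detection could work, as an added example that is not ISS code: parse raw TCP headers, render the flags in the letter notation this page uses, and report sources that send a FIN with no other standard flag to several ports (a normal close always carries ACK with FIN). The sample traffic is constructed, the three-port threshold is illustrative, and reading "4" and "8" as the reserved bits 0x40 and 0x80 is an assumption.

```python
import struct
from collections import defaultdict

# (bit, letter) pairs in the order this page lists the flags. Mapping "4"/"8"
# to the two reserved bits 0x40/0x80 is an assumption from the page's wording.
FLAG_LETTERS = [(0x02, "S"), (0x01, "F"), (0x04, "R"), (0x08, "P"),
                (0x10, "A"), (0x20, "U"), (0x40, "4"), (0x80, "8")]
FIN, STANDARD = 0x01, 0x3F  # STANDARD = FIN|SYN|RST|PSH|ACK|URG

def flag_string(flags):
    """Render a TCP flags byte in the page's letter notation."""
    return "".join(letter for bit, letter in FLAG_LETTERS if flags & bit)

def parse_tcp(segment):
    """Return (src_port, dst_port, flags) from a raw TCP header, None if truncated."""
    if len(segment) < 20:
        return None
    sport, dport, flags = struct.unpack("!HH9xB6x", segment[:20])
    return sport, dport, flags

def is_bare_fin(flags):
    """True when FIN is the only standard flag set (no ACK, SYN, RST, PSH, URG)."""
    return (flags & STANDARD) == FIN

def find_fin_scanners(packets, min_ports=3):
    """Map source address -> sorted ports probed with bare FINs, keeping only
    sources that probed at least min_ports distinct ports."""
    probed = defaultdict(set)
    for src, segment in packets:
        parsed = parse_tcp(segment)
        if parsed and is_bare_fin(parsed[2]):
            probed[src].add(parsed[1])
    return {s: sorted(p) for s, p in probed.items() if len(p) >= min_ports}

def make_segment(sport, dport, flags):
    """Build a constructed 20-byte TCP header (no options, checksum left at 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 0x50, flags, 1024, 0, 0)

# Constructed sample traffic; addresses come from the documentation ranges.
SAMPLE = [("192.0.2.10", make_segment(40000, p, 0x01)) for p in (21, 23, 25, 80)]
SAMPLE += [("198.51.100.7", make_segment(51000, 80, 0x11)),  # normal close: FIN+ACK
           ("198.51.100.7", make_segment(51001, 80, 0x02)),  # normal open: SYN
           ("203.0.113.5", b"\x00\x50")]                     # truncated, ignored

if __name__ == "__main__":
    for src, ports in find_fin_scanners(SAMPLE).items():
        print(src, "bare-FIN probes to ports", ports)
```

This check is stateless; a sensor that tracks connections can additionally confirm that no connection existed for the FIN to close.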

Defense

Many firewall systems block such scans.

More information

advICE: port scan
Explains port scanning in depth, and describes the various types of port scans.

Parametric information

port: The TCP destination port.
flags: The TCP flags from the offending frame. The flags are: S (SYN), F (FIN), R (RESET), P (PUSH), A (ACK), U (URGENT), 4 (low-order unused bit), 8 (high-order unused bit).
options: The TCP options from the offending frame. The options are displayed as "option-value", separated by commas. No-ops are not displayed.

 
Version appeared: 1.8.5.5 
